Then, the only time you should have a set-cookie parameter coming back from the server is when you are trying to uniquely identify the connection. If it's because they just POSTed or similar, that's already going to evade the cache. If it's because you simply want to uniquely identify them, then the problem is your application's code intentionally breaking Varnish; fix your app if you can, otherwise you can override vcl_fetch similar to what you're doing here.